Computerized devices, either stationary or mobile, are valuable targets for skillful, sophisticated, and motivated offenders.
Stationary computers are widely used for communicating and storing sensitive data, and are also widely used for controlling the operation of essential infrastructures, such as electrical turbines, water supply systems, railroad signaling, operation and control of vehicles, and various other tasks. Various protection techniques have been developed to protect said stationary devices from malicious code, as any disturbance to their operation may result in very significant damage.
The above-mentioned security problem is also acute with respect to mobile devices. Modern mobile devices host various gadgets and sensors, such as GPS, Wi-Fi, voice, camera, accelerometers, etc. An unauthorized intrusion which introduces malicious code may activate one or more of said sensitive components without the user's consent. This serious vulnerability is exploited by remote, hostile agents to gather sensitive information through the subverted mobile phone. For this purpose, and similarly to stationary devices, a variety of security software has been developed and is widely used for protecting mobile devices. It should be noted, however, that the security model of most mobile phone operating systems discourages some typical monitoring solutions that are available for stationary devices.
In computer technology, the term “bootstrapping” (usually shortened to “booting”) refers to the process of loading the basic software into the memory of a computer after power-on or general reset, especially the operating system, which will then take care of loading other software as needed. The bootstrap code, which is typically stored within a flash memory on the device, is considered by hackers an attractive target for injecting malicious code into the operating system, as the bootstrap in fact initiates many pieces of genuine code that are then used during the entire operation of the device.
As noted, a variety of security software has been developed and is widely used for protecting stationary and mobile devices. However, the fact that most of the security mechanisms execute within the same memory domain that they are supposed to protect from malicious activities exposes the security code itself to malicious manipulations.
One alternative solution for protecting a mobile phone from malicious code is disclosed, for example, by Zefferer et al. Zefferer proves that malware running within the mobile phone has a unique characteristic “signature”, and therefore various malware can be detected by monitoring the power consumption of the battery. More specifically, Zefferer suggests monitoring the power consumption of the phone's battery to detect anomalies that may hint at malicious activity by running code. This solution is based on said assumption that a variety of malicious activities within the protected environment have characteristic and detectable behaviors, respectively, in terms of power consumption of the battery. More specifically, each of said malicious activities has its own “signature”. This solution in fact suggests performing continuous monitoring of the power consumption from the battery of the telephone, and detection of such a “signature”. Sometimes, the detection of this behavior involves combined monitoring of the battery and one or more additional elements (such as the microphone, the camera, the WiFi, etc.). In still other cases, and in a manner common in the field of computer security, this detection technique is used in association with other protection techniques. However, according to all of the prior art publications, said monitoring of the device battery, and optionally of one or more additional sensors, is performed by a program that runs within the same computerized environment that it intends to protect.
The term “environment”, or “computerized environment”, relates herein to a range of hardware and software that is in turn accessible either physically (for example, via a USB connector) or wirelessly (for example, via a WiFi network). Typically, an “environment” is a closed computerized range to which access is allowed only to authorized persons or programs. However, a “closed” environment may be breached by unauthorized activities, either via said physical connection or wirelessly.
As noted, a variety of software tools have been developed to protect a computerized environment (i.e., either stationary computers or mobile devices) from malicious programs and activities. Substantially all of the security software tools, no matter what measures they apply, have one characteristic in common: they all run a protection code on the device (stationary or mobile) or network of devices that they intend to protect, i.e., they run within the same environment that they intend to protect. For example, the anti-virus tool executes a program that runs within the device to scan the one or more hard disks and the device memory. The firewall, in turn, runs a program within the internal computerized environment that masks the structure of the environment from the world outside of this environment.
As noted above, this manner of operation has a significant drawback. The fact that a malicious code has been successfully injected into the protected environment is in itself proof of the vulnerability of this environment. As a result of this vulnerability, and in the same manner that the malicious code was successfully injected into the protected environment, the same or another code may, for example, manipulate the protecting code (for example, anti-virus, or any other protecting software) to perform one of the following: (i) to terminate its operation; (ii) to cause it to ignore the existence of the malicious code within the protected environment; or (iii) to manipulate the protecting code such that no report will be issued to the user with respect to the detection of the malicious code. Following this manipulation, the malicious code can in fact operate freely within the protected environment.
PCT/IL2015/050297, by the same applicants as the present application, discloses a “System and Method For Detecting Activities Within a Computerized Device Based on Monitoring of its Power Consumption”. More specifically, this application discloses a security system for detecting malicious activities within a computerized environment, which comprises a monitoring circuit that is entirely isolated from the computerized environment of the device while still being connected to the DC supply of the device, and that determines malicious activities by monitoring power consumption from the DC supply.
PCT/IL2015/050297, however, teaches the detection of malicious programs while they are running within the environment of the protected device. It does not provide any manner by which the initiation of such malicious programs during bootstrap can be detected, nor any manner by which a malicious manipulation of the bootstrap can be detected.
It is therefore an object of the present invention to provide protecting circuitry and code for detecting malicious manipulations within a bootstrap of a computerized device, by monitoring power consumption from the DC supply of the device.
It is another object of the present invention to provide said protecting code and circuitry for detecting malicious manipulations within a bootstrap of a computerized device in a manner which is fully isolated and protected from any external manipulation.
It is still another object of the invention to provide said protecting code and circuitry that can be applied to both stationary devices that are fed from a power supply and to mobile devices that are fed from a battery.
It is still another object of the invention to provide said protecting code and circuitry that can detect where and when along the stream of the bootstrapping the malicious manipulation has occurred.
Other objects and advantages of the invention will become apparent as the description proceeds.
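As an added illustration (not part of the original text, and not the applicants' disclosed method), one way to approach the object of locating where and when along the bootstrap a manipulation occurred is to compare an observed boot power trace, window by window, against a reference trace recorded from a known-good boot. The sample rate, window size, threshold, stage boundaries and both traces below are constructed assumptions.

```python
from statistics import mean

SAMPLE_RATE_HZ = 1000   # assumed sampling rate of the isolated monitor
WINDOW = 50             # samples per comparison window (50 ms)
THRESHOLD = 0.15        # assumed tolerance: 15% mean relative deviation

# Hypothetical boot stages: (name, first sample, one past last sample).
STAGES = [("rom_loader", 0, 200), ("bootloader", 200, 500),
          ("kernel_init", 500, 1000)]

def stage_at(sample):
    """Map a sample index to the boot stage expected at that time."""
    for name, start, end in STAGES:
        if start <= sample < end:
            return name
    return "past_expected_end"

def compare_boot(reference, observed):
    """Return (start_ms, stage, deviation) for every deviating window.

    Assumes reference samples are strictly positive (the device draws
    power throughout boot)."""
    findings = []
    for start in range(0, len(observed), WINDOW):
        obs = observed[start:start + WINDOW]
        ref = reference[start:start + WINDOW]
        if len(ref) < len(obs):
            # Boot ran longer than the known-good boot: unexplained activity.
            dev = float("inf")
        else:
            dev = mean(abs(o - r) / r for o, r in zip(obs, ref))
        if dev > THRESHOLD:
            ms = start * 1000 // SAMPLE_RATE_HZ
            findings.append((ms, stage_at(start), dev))
    return findings

def make_reference():
    """Constructed known-good trace in mW: one level per stage plus ripple."""
    levels = {"rom_loader": 300.0, "bootloader": 450.0, "kernel_init": 800.0}
    return [levels[stage_at(i)] + (i % 5) for i in range(1000)]

def make_tampered():
    """Constructed trace with 100 ms of extra draw during the bootloader."""
    trace = make_reference()
    for i in range(300, 400):
        trace[i] += 120.0
    return trace

if __name__ == "__main__":
    for ms, stage, dev in compare_boot(make_reference(), make_tampered()):
        print(f"deviation at {ms} ms in {stage}: {dev:.3f}")
```

The first finding gives the time offset and boot stage at which the observed trace departs from the reference; a boot that runs past the end of the reference is reported as `past_expected_end`.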